CVE-2022-43939

HIGH 8.6

⚠️ CISA KEV

Hitachi Vantara Pentaho Business Analytics Server - Use of Non-Canonical URL Paths for Authorization Decisions

CVSS Score

8.6

EPSS Score

0.0%

EPSS Percentile

0th

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.

CWE	CWE-647
Vendor	hitachi vantara
Product	pentaho business analytics server
Published	Apr 3, 2023
Last Updated	Oct 21, 2025

⚠️ Actively Exploited — Act Now

Get instant alerts for hitachi vantara pentaho business analytics server

This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2022-43939.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Affected Versions

Hitachi Vantara / Pentaho Business Analytics Server

1.0 < 9.3.0.2 9.4.0.0 < 9.4.0.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

support.pentaho.com: https://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939- packetstormsecurity.com: http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-43939

Credits

Harry Withington, Aura Information Security